CVE-2026-7515

BetterDocs · BetterDocs Pro

The BetterDocs Pro plugin for WordPress contains a Local File Inclusion vulnerability in the doc_style parameter, allowing unauthenticated attackers to execute arbitrary PHP code on the server.

Executive summary

A critical Local File Inclusion vulnerability in the BetterDocs Pro plugin for WordPress allows unauthenticated attackers to achieve remote code execution.

Vulnerability

This is a Local File Inclusion (LFI) vulnerability residing in the doc_style parameter. It allows unauthenticated attackers to include and execute arbitrary PHP files on the server, resulting in potential full system compromise.

Business impact

The ability of an unauthenticated attacker to execute arbitrary code poses a catastrophic risk to business operations. This vulnerability could lead to total server compromise, unauthorized access to sensitive application data, and potential lateral movement within the network. With a CVSS score of 9.8, this flaw is categorized as critical and requires immediate attention to prevent data breaches or service degradation.

Remediation

Immediate Action: Update the BetterDocs Pro plugin to the latest available version provided by the vendor.

Proactive Monitoring: Monitor server access logs for anomalous requests containing path traversal patterns or unexpected file inclusions targeting the doc_style parameter.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block common LFI patterns and directory traversal attempts directed at the WordPress plugin directory.
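One way to carry out the access-log monitoring step above, as an added example that is not part of the original advisory or the vendor's code. It assumes combined-format access logs, that doc_style arrives in the query string, and that legitimate values are short plain tokens (the SAFE_VALUE pattern is a hypothetical allowlist to tune per site); the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: capture the client address and the request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
# Assumption: a legitimate doc_style value is a short plain token. Tune per site.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def fully_decode(value, max_rounds=5):
    """Undo repeated percent-encoding (%252e -> %2e -> .), bounded by max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return the reasons a doc_style value looks like a file inclusion attempt."""
    v = fully_decode(value).replace("\\", "/")
    reasons = []
    if re.search(r"(^|/)\.\.(/|$)", v):
        reasons.append("traversal")
    if v.startswith("/") or re.match(r"^[A-Za-z]:/", v):
        reasons.append("absolute-path")
    if "\x00" in v:
        reasons.append("null-byte")
    if not reasons and not SAFE_VALUE.match(v):
        reasons.append("unexpected-characters")
    return reasons

def scan(lines):
    """Yield (client_ip, logged_value, reasons) for suspicious doc_style requests."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for key, val in parse_qsl(query):  # parse_qsl decodes one layer
            reasons = classify(val) if key == "doc_style" else []
            if reasons:
                yield m.group("ip"), val, reasons

SAMPLE_LOG = [  # constructed lines, not real traffic
    '198.51.100.7 - - [10/Jan/2026:10:00:01 +0000] "GET /docs/?doc_style=classic HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Jan/2026:10:00:05 +0000] "GET /docs/?doc_style=..%2F..%2F..%2Ftmp%2Fx HTTP/1.1" 200 312',
    '203.0.113.9 - - [10/Jan/2026:10:00:09 +0000] "GET /docs/?doc_style=%252e%252e%252fuploads%252fa HTTP/1.1" 200 312',
]
```

Request bodies are not recorded in standard access logs, so a doc_style value sent in a POST body is only visible through WAF or application-level logging.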

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical nature of this vulnerability and the lack of required authentication, it is imperative that all organizations using the BetterDocs Pro plugin prioritize this update. Failure to remediate immediately leaves the host server vulnerable to complete compromise. Ensure all systems are patched and verify the integrity of the WordPress installation post-update.